A Systematic Review on Hybrid Intrusion Detection System

Maseno, Elijah M.; Wang, Zenghui; Xing, Hongyan

doi:https://doi.org/10.1155/2022/9663052

Security and Communication Networks

On this page

Abstract Introduction Results and Discussion Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Review Article | Open Access

Volume 2022 | Article ID 9663052 | https://doi.org/10.1155/2022/9663052

A Systematic Review on Hybrid Intrusion Detection System

Elijah M. Maseno,^1,2Zenghui Wang ,²and Hongyan Xing³

Academic Editor: Leandros Maglaras

Received23 Dec 2021

Revised05 Mar 2022

Accepted29 Mar 2022

Published10 May 2022

Abstract

As computer networks keep growing at a high rate, achieving confidentiality, integrity, and availability of the information system is essential. Intrusion detection systems (IDSs) have been widely used to monitor and secure networks. The two major limitations facing existing intrusion detection systems are high rates of false-positive alerts and low detection rates on zero-day attacks. To overcome these problems, we need intrusion detection techniques that can learn and effectively detect intrusions. Hybrid methods based on machine learning techniques have been proposed by different researchers. These methods take advantage of the single detection methods and leverage their weakness. Therefore, this paper reviews 111 related studies in the period between 2012 and 2022 focusing on hybrid detection systems. The review points out the existing gaps in the development of hybrid intrusion detection systems and the need for further research in this area.

1. Introduction

The Internet has thrived, hence an increase in information sharing, making network security a problem of concern. Attackers around the globe have their eyes on computer systems with the motive of deploying attacks. The security of an electronic device is breached when a successful attack occurs. Intrusion is defined as “any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource” [1]. The Integrity aspect of a given infrastructure serves to ensure information remains unaltered by unauthorized users. Availability incorporates all aspects of the infrastructure that makes information readily available to users in the system. Confidentiality implies that the information in a given system is protected from unauthorized access and viewing by external parties. Therefore, a computer network is considered to be fully secured when the core objectives of these three attributes are sufficiently met. To help achieve these objectives, intrusion detection systems have been developed with the primary intent of monitoring incoming traffic in computer networks for any potential malicious intrusions.

An intrusion detection system (IDS) scans information system resources and reports any malicious activities in the system. More advanced IDSs have the capability of acting against the attacks. The action taken by this advanced IDS is to block the malicious users or activities from accessing the computer resources. We have two major categories of intrusion detection systems, which include misuse based and anomaly based. Misuse-based IDSs are developed to flag known attacks using patterns of the known attacks [2]. Misuse detection systems use patterns of well-known attacks or weak spots of the system to match and identify known intrusions. The positive side of misuse IDS is the ability to detect known attacks with great precision. The major challenge facing this type of IDS is their inability to flag new forms of attacks [3]. Misuse intrusion detection systems stand out because of their ability to flag many or all known attack patterns. The main problem facing misuse-based systems is the inability to flag emerging attacks or zero-day attacks. In general, they have a high rate of detection and low rate of false alarms compared to anomaly-based systems. The anomaly-based technique stores the normal behavior of a user in a database and compares it with the current behavior of the user [4]. If there is a substantial difference, then there is something wrong or abnormal. The major advantage of anomaly detection is that it does not require information of known attacks, and thus they can detect new forms of attacks. It has a high rate of false alarm compared to misuse-based IDS.

Hybrid intelligent systems have been developed to solve the challenges of the existing intrusion detection systems, such as high rate of false-positive alerts and low detection rate of novel attacks. Hybrid is a technique that combines misuse-based and anomaly-based techniques [5]. The hybrid technique resolves the disadvantages of the two legacy IDSs. Research shows that hybrid detection systems have better performance compared to single IDS.

Despite their proven performance, hybrid intrusion detection systems remain largely unexplored as seen from the few number of existing systematic literature reviews on the topic. This work, therefore, attempts to perform a comprehensive systematic literature review on hybrid intrusion detection systems between 2012 and 2022 with the objective of pointing out existing gaps in the development of these systems.

This study is arranged as follows. Section 2 introduces and discusses IDS. Section 3 provides a discussion on hybrid detection techniques. Section 4 discusses the methodology adopted in this paper. Section 5 discusses the findings. Section 6 points out the existing gaps in the reviewed literature and insights for future research. Table 1 summarizes all hybrid intrusion detection systems between the periods of 2012 and 2022. Finally, Table 2 lists all abbreviations in this study.

2. Intrusion Detection Systems

Denning introduced the technique of detecting intrusion, and since then researchers have worked hard to automatically detect intrusions in network systems [6]. Intrusion detection systems have been defined as the technique of using artificial intelligence, machine learning, and database systems to uncover malicious patterns in large datasets [2]. IDS can be broadly classified into two major categories, anomaly-based IDS and misuse-based IDS. Recently, other methods have emerged through the integration of anomaly and misuse intrusion IDSs to yield more categorizes.

2.1. Anomaly-Based Intrusion Detection Systems

Anomaly intrusion detection systems profile the normal behavior of a system. They monitor the normal operations of the system, and if they detect an anomaly, a flag is raised. Instead of keeping all patterns of well-known malicious dataset and updating as new patterns emerge, anomaly detection systems outline “normal” operations of a system and flag anything that deviates from the outline [2]. According to [7], anomaly IDS contains three stages: parameterization, training stage, and detection stage. In the parametrization stage, the data are formatted to capture the normal behavior of the device. After parameterization, the model is trained to represent the normal behavior. The detection stage is where the model detects and flags any deviation from the normal behavior based on the parameterized data [7].

Different intrusion detection mechanisms have been used in the development of the anomaly IDS. Mishra and Yadav [8] outlined the following techniques: data mining techniques, machine learning-based techniques, and statistical approaches. In these techniques, some researchers have used single algorithms while others have opted to integrate algorithms to improve the performance of the IDS [8].

Atefi et al. [9] developed anomaly detection based on profile signature using genetic algorithm and support vector machine algorithms. SVM outperformed GA in terms of precision rate. The researchers combined the two algorithms to form a hybrid IDS. The evaluation of the hybrid IDS produced better performance compared to the single algorithms.

Khoei et al. [10] investigated the application of three types of ensemble learning techniques for anomaly IDS. The three techniques applied were bagging, boosting, and stacking. The performance of the three techniques was compared with that of decision tree (DT), Naïve Bayes (NB), and K-nearest neighbor (KNN). The results showed that stacking-based ensemble learning techniques outperformed the traditional learning techniques in terms of detection rate, false alarm rate, miss detection rate, and accuracy rate.

Rakshe and Gonjari [11] developed an intrusion detection model based on SVM and random forest algorithms. The two algorithms were used for classification purposes. The models were evaluated using NSL-KDD. The models recorded detection accuracy of more than 95%. The performance of the two models was compared, and the random forest algorithm performed better than SVM in the classification of traffic.

Kumar et al. [12] developed an anomaly intrusion detection system based on four algorithms, namely, Naïve Bayes, ID3, MLP, and ensemble learning. The models were evaluated using CICIDS2017 dataset. The ensemble model was developed by combining NB, ID3, and MLP. The metrics used in the evaluation of the models were precision, recall, accuracy, and F1 score. ID3 (decision tree) performed better compared to the other models.

Once anomaly intrusion detection systems have been developed, they do not need regular updates unless a major user or system change has been done. Anomaly IDS can flag new forms of attacks, unlike the misuse IDS. Due to the above-mentioned characteristic of anomaly intrusion detection systems, they are considered to be more effective compared to their counterpart misuse intrusion detection system whose performance highly depends on stored patterns that require regular updates.

Profile creation is the main issue in anomaly intrusion detection because there is no fixed normal action or behavior of the user, and different users use computer systems differently. Capturing the profile of different users as normal has proven to be difficult, hence creating the main limitation of anomaly IDS. With the limitation arises the issue of high false-positive alerts because any abnormal action by the user is considered an attack. Research in this area is focused on how to profile normal action and how to reduce high false-positive rates.

2.2. Misuse/Signature Intrusion Detection System

Misuse intrusion detection systems depend on well-known attack signatures to capture attacks and to flag intrusions using well-known patterns. The well-known signatures are captured and labeled to assist in intrusion detection. The labeled patterns are stored in a database that needs regular updates when new patterns are captured. For detection of attacks, misuse-based IDS compares the received traffic with the stored signatures in the database; if the patterns are similar, the traffic is marked as an intrusion; else, the traffic will be marked as normal.

Unlike anomaly-based IDSs, misuse IDSs are easy to create as the pattern of malicious code is known. The code of the malicious malware is analyzed for a unique pattern, and this pattern is used to create the baseline signature to be used for detection. This makes misuse-based IDSs have a high positive detection rate as they depend on well-known information. Users must keep updating the corresponding databases for new signatures.

Over the years, research has been done on this area of misuse intrusion detection. Zhang et al. [13] proposed a misuse intrusion detection system for defending LAN users using the XGBoost algorithm. To develop and evaluate the model, the researchers used real-time data collected from LAN of 10 different Asian countries. The model was evaluated using collected data from 45 networks. The model recorded 97.5% in overall precision and 97.5% in the overall recall. In addition, the researchers observed that LAN intrusion detection is affected by ARP, MDNS, and NBNS protocols. The main advantage of this model is that it was evaluated using real-time network data which means that the model can be deployed in the existing LANs as it is or with minor changes.

Taher et al. [14] used the artificial neural network (ANN) and support vector machine (SVM) technique to develop a signature-based intrusion detection model. The two algorithms were to find the algorithm with the best performance in terms of classification. NSL-KDD dataset was used for the evaluation of the models. According to the researchers, the ANN-based model outperformed the SVM model in classification. The ANN-based model recorded a detection rate of 94.02%. The model can be further investigated using an updated dataset.

Erlacher and Dressler [15] proposed Internet Protocol Flow Information Export (IPFIX) signature-based intrusion detection known as FIXIDS. The model uses the newly added HTTP-related flow information elements (IEs) to detect intrusion in high-speed networks. The model outperformed Snort in general. This technique can be investigated further in future for standard flow.

Tug et al. [16], using blockchain technology, proposed collaborative signature-based intrusion detection system referred to as CBSigIDS. The model uses blockchain technology to incrementally update and distribute secure signatures database in a collaborative network. Evaluation of the model shows that blockchain technology can be used to improve the performance of signature-based IDS in secure manure. In future, research can be done on the application of blockchain technology in anomaly IDS.

The main limitation with misuse intrusion detection systems is that they cannot detect zero-day attacks or new forms of attacks. At the point of realization of a new form of attack and the creation of the signature of the attack, most of the computer systems are already left vulnerable. Misuse intrusion detection systems also require large storage memory to store the signature library.

The focus area of research on this type of intrusion detection system is on how to reduce the volume consumed by the database. Another potential area of research is how to make this IDS able to detect zero-day attacks.

3. Hybrid Intrusion Detection System

With the evolving variety of attacks, the two classical IDSs mentioned above cannot protect our information systems effectively. New methods of combining different intrusion detection systems to improve their effectiveness have been proposed. Research has shown that combined algorithms perform better than single algorithms [17].

The goal of hybrid intrusion detection systems is to combine several detection models to achieve better results. A hybrid intrusion detection system consists of two components. The first component processes the unclassified data. The second component takes the processed data and scans it to flag out intrusion activities [18].

Hybrid intrusion detection systems are based on combining two learning algorithms. Each learning algorithm possesses unique features, which assist in improving the performance of the hybrid [19]. Hybrid IDSs can be broadly categorized into cascaded hybrid, integrated-based hybrid, and cluster + single hybrid.

In [5], Kim et al. proposed a hybrid intrusion detection system based on signature-based and anomaly detection components. In the first stage of the model, a misuse detection component was applied to detect known attacks based on the captured patterns. This component was based on the C4.5 decision tree algorithm. The second stage consisted of an anomaly detection component to leverage the shortcomings of the misuse detection component. To develop the second component of the model, multiple one-class SVM algorithms were used. The performance of the model was tested using the KDD Cup 99 dataset. The model performed better than the single traditional IDS.

In [20], the researchers combined feature extraction techniques and classification techniques to increase detection rate while at the same time reducing false alarm rate. In the first stage of the hybrid, chi-square was used for feature selection. The goal of this stage was to reduce the number of features in the dataset but maintaining the important features that capture the attacks. In the second stage, a multiclass support vector machine (SVM) algorithm was used for classification. Multiclass support vector machine was used in this model to improve classification rate. The model was evaluated using the NSL-KDD dataset, with the results showing that the model recorded a high detection rate with a low false alarm rate.

In [21], Khraisat et al. developed a hybrid detection model based on a C5 decision tree classifier and one-class support vector machine (OC-SVM). The model consisted of two major components. A C5.0 decision tree classifier was used to develop the first component of the model for misuse detection. The second component was developed using OC-SVM for anomaly detection. The researchers tested the performance of the model using the NSL-KDD and Australian Defence Force Academy (ADFA) datasets, and the results showed that the hybrid model was superior to single-based models.

Khan proposed a hybrid intrusion detection model based on convolutional neural network (CNN) and recurrent neural network (RNN). The research aimed to improve feature extraction, which is fundamental in the performance of intrusion detection systems. CNN was used in the first phase to extract local features in the dataset, with the RNN being used in the second phase to extract temporal features in the dataset. This technique resolved the issue of data imbalance on the available dataset. To test the performance of the model, the CSE-CIC-DS2018 dataset was used, which is the updated dataset. The model outperformed other intrusion detection models, with an intrusion detection accuracy of 97.75% [22].

In [23], the researchers proposed a hybrid model intrusion detection model for smart home security. The model consisted of two components. The first component applied machine learning algorithms to real-time intrusion detection. Algorithms used in this component included random forest, XGBoost, decision tree, and K-nearest neighbors. The second component applied the misuse intrusion detection technique for detection of known attacks. To test the performance of the model, the CSE-CIC-IDS2018 and NSL-KDD datasets were used. The model recorded an outstanding performance for detection of both network intrusion and user-based anomalies in smart homes.

In [24], the authors proposed a hybrid intrusion detection system for online network intrusion detection. The researchers integrated improved particle swarm optimization and regularized extreme learning machine (IPSO-IRELM). In this study, IPSO was used to optimize IRELM. The model was tested using UCI balance dataset, NSL-KDD dataset, and UNSWNB15 dataset. The model recorded a high accuracy rate as well as capabilities to classify the minority features.

In [25], a hybrid detection model based on Spark ML and the convolutional-LSTM (Conv-LSTM) network was proposed. The model consists of two components: the first component uses Spark ML to detect anomaly intrusion while the second component deploys Conv-LSTM for misuse detection. To investigate the performance of the model, the researchers used ISCX-UNB dataset. The model recorded an outstanding performance of 97.29% accuracy in detection. The researchers proposed that the model can be evaluated further using a different dataset as a way of attempting to reproduce the results.

In [26], the authors developed an intrusion detection system by combining firefly and Hopfield neural network (HNN) algorithms. The researchers used Firefly algorithm to detect denial-of-sleep attacks through node clustering and authentication.

In [27], the researchers proposed a hybrid detection system for VANET (vehicular ad hoc network). The model consisted of two components. The researchers deployed a classification algorithm on the first component and a clustering algorithm on the second component. In the first stage, they used random forest to detect known attacks through classification. For the second stage, they deployed weighted K-means algorithm for the detection of anomaly intrusion. The model was evaluated using the current dataset, CICIDS2017 dataset. The researchers proposed further evaluation of the model in real-world environments. In another work [28], the researchers integrated random forest algorithm with unsupervised clustering algorithm based on coresets. This model was used for detection of real-time intrusions in VANET. Compared with other models, the model recorded better performance in terms of accuracy, computational time, and detection rate.

Barani [29] proposed a hybrid detection model based on genetic algorithm and artificial immune system (AIS) (GAAIS) for intrusion detection on ad hoc on-demand distance vector-based mobile ad hoc network (AODV-based MANET). The model was evaluated using different routing attacks. Compared with other models, the model improved detection rate and decreased the false alarm rate.

In [30], the researchers used integrated firefly algorithm with a genetic algorithm for feature selection MANET. To classify the selected features in the first stage of the model as either intrusion or normal, the researchers used replicator neural network for classification. The model performance was compared to that of fuzzy-based IDS. The model outperformed fuzzy-based IDS in accuracy as well as precision and recall.

4. Methodology

The methodology used consists of three primary phases: planning, conducting, and reporting as outlined by Kitchenham and Charters [31]. The three steps can be explained as follows:(a)Planning: the main goal of this phase is to define the research goals and the review protocol. Review protocol defines how the review will be done. It consists of all the elements of review.(b)Conducting: once the protocol has been defined, the review process can start. The main stages in this phase include identifying relevant research, selecting primary studies, and extracting required data and synthesis data.(c)Report: finally, in reporting the review, data extraction strategies are defined and the steps to be used in data synthesis are outlined.

5. Review Process

5.1. Research Questions (RQs)

The main objective of this paper was to analyze the hybrid intrusion detection system techniques that were developed from 2012 to 2022. The following research questions were developed in line with the main objective:(a)RQ1: which hybrid techniques have been used in intrusion detection systems? Objective: to identify techniques used in the development of hybrid IDS.(b)RQ2: which classical algorithms were used in the integration of the hybrid? Objective: to identify commonly used algorithms in hybrid IDS.(c)RQ3: which evaluation metrics are used in the hybrid intrusion detection systems? Objective: to identify commonly used metrics in the evaluation of IDS.(d)RQ4: which datasets are used in hybrid intrusion detection system research? Objective: to identify commonly used datasets in hybrid IDS.

5.2. Search Strategy

Research shows that it is important to be guided by a search strategy in the systematic review [31]. In defining our search strategy, we were guided by the steps outlined by Thyago et al. [32]. The main two steps in this process are defining keywords and the sources of the study. The keywords were derived from the research questions. The keywords and synonyms used are as follows:(1)Hybrid OR Integrated OR Cascaded.(2)Intrusion detection System OR IDS(3)Artificial Intelligence OR Machine Learning

We used the Boolean operators (OR) and (AND) to define the search string. The operator (OR) was used between synonyms, while (AND) was used between the keywords. The following search strings were defined:(1)“Hybrid” OR “Integrated” OR “Cascaded”(2)“Intrusion detection System” OR “IDS”(3)“Artificial Intelligence” OR “Machine Learning”

Finally, the search strings were combined as follows: ((1) AND (2) OR (1) AND (2) AND (3)).

The researchers used the following digital libraries that are recognized in publishing research in the area of intrusion detection systems [33].(i)The Institute of Electrical and Electronics Engineers (IEEE) Library (https://ieeexplore.ieee.org/)(ii)The Association for Computing Machinery (ACM) Digital Library (https://dl.acm.org/)(iii)Springer Link (https://link.springer.com/)(iv)Science Direct (https://www.sciencedirect.com)

Several searches were done on the above listed libraries but the search strings that yielded better result on each database are as follows:(i)IEEE: ((“Hybrid” OR “Integrated” OR “Cascaded”) AND (“Intrusion detection System” OR “IDS”) AND (Artificial Intelligence OR Machine Learning))(ii)ACM: [All: [[all: “hybrid”]] OR [All: [all: “integrated”]] OR [[All: [all: “cascaded”]]] AND [[All: [[all:] OR [All: “intrusion detection system”] OR [All:]]]] OR [[All: [all: “ids”]]] AND [[All: [publication] OR [All:]]]](iii)Springer Link: ((“Hybrid” OR “Integrated” OR “Cascaded”) AND (“Intrusion detection System” OR “IDS”) AND (Artificial Intelligence OR Machine Learning))(iv)Science Direct: ((“Hybrid” OR “Integrated” OR “Cascaded”) AND (“Intrusion detection System” OR “IDS”))

The initial search obtained 2,084 articles. Table 3 shows the number of articles obtained from the digital database.

5.3. Publication Selection Criteria

For inclusion criteria, all primary studies that have reviewed hybrid intrusion detection systems and articles published between January 2012 and February 2022 were included in the study. Single algorithm studies, secondary studies, short papers, duplicated studies, non-English studies, and incomplete papers were excluded. In addition, all studies that were not relevant to the research questions were excluded from the research. Table 4 summarizes the inclusion/exclusion criteria.

5.4. Study Selection Process

To conduct the selection process, the papers were selected according to the established strings, and papers were also selected based on the title, abstract, and keywords on this stage. The selected papers from the first selection process were subjected through the second selection process, which was based on reading the entire text of the paper.

The primary reviewer conducted the selection process. The secondary reviewer conducted an inter-rater reliability test on the selected papers. This was done to make sure that there was no bias in the selection process from the primary reviewer. In the first step, 1875 studies were excluded by the reviewers as they did not satisfy the inclusion criteria. Of those excluded, 1786 were out of scope, 8 were grey studies, 27 were single algorithm studies, 53 were short papers, and 1 was duplicate paper. In the second step, 98 studies were excluded by the reviewers as they did not satisfy the inclusion criteria. Of those excluded, 78 were out of scope, 2 were single algorithm studies, 17 were short papers, 1 was non-English paper, and 1 was incomplete paper. In this research 111 papers were selected for the review as shown in Table 5.

5.5. Data Extraction Process

The objective of this step is to provide an answer to the research questions for each paper in a semi-structured way. To avoid bias in the data extraction process, a data extraction form was developed. The data extraction form captured key elements to answer the research questions as shown in Table 6.

6. Results and Discussion

6.1. Year of Publication

Figure 1 shows the number of publications per year. The year with the most publication is 2020. The graph indicates a continuous increase in research in the field of hybrid IDS. This can be attributed to the desire of improving the efficiency and effectiveness of IDS.

6.2. Research Questions (RQs)

In this section, the outcome of the literature review will be analyzed and discussed as per the research questions.

RQ1: which hybrid techniques have been used in intrusion detection systems?

In this question, the research sought to understand which techniques were used in the development of the hybrid IDS. Research shows that hybrid approaches can be broadly categorized into three: cascaded hybrid, integrated-based hybrid, and cluster + single hybrid.

As shown in Table 7, the most used hybrid technique was the cascaded hybrid technique (72 papers), the integrated-based hybrid technique (36 papers), and the cluster + single technique (3 papers).

RQ2: which classical algorithms were used in the integration of the hybrid?

In this question, the researcher sought to understand the classical algorithms applied to hybrid techniques. It was established that the most used algorithms in hybrid detection systems were SVM, DT, K-means, Naïve Bayes, KNN, GA, and PSO as shown in Table 8. The rest of algorithms appeared less than 5 times in the selected papers.

RQ3: which are the evaluation metrics used in the hybrid intrusion detection system?

Metric is the measure of the performance of ML algorithm on a given dataset. Metrics are used mostly to compare the performance of different models and determine the most effective one.

Accuracy is a frequently applied metric. The purpose of this metric is to compare the correctly detected outcomes against the total detected outcomes.

True-positive rate (TPR), also known as either recall, sensitivity, or detection rate, is the fraction of correctly detected positive outcomes compared to positive observation.

False-positive rate (FPR), which is referred to as false alarm rate (FAR) or fall-out, is the fraction of wrongly predicted positive outcomes compared to actual negative observations.

True-negative rate (TNR) is also called specificity. This metric is the ratio of correctly predicted negative outcomes compared to actually negative observations.

False-negative rate (FNR) is also called miss rate. This metric is the ratio of wrongly predicted negative outcomes compared to positive observations.

F-score/F-measure is a measure that combines a model’s precision and recall into an overall accuracy figure. F1 scores range from 0 to 1 with 1 being perfect and 0 indicating poor performance.

Precision is the ratio of correctly predicted positive outcome compared to positive prediction.

Time is a metric used to measure the efficiency of a model. This can be done either during the training stage or during the evaluation stage.

This study found that three metrics were used in more than 50% of the research as shown in Figure 2. These are accuracy, detection rate, and false alarm rate. Accuracy tests the performance of a model in terms of the number of correctly predicted results. The higher the accuracy, the better the model. This explains why the metric has been used in most of the studies. TPR or detection rate measures the capabilities of a model to flag attacks. This is a very important metric as the objective of any intrusion detection system is to flag attacks. Lastly, false alarm rate (FAR) is the measure of false alarms produced by the model. The more the false alarms, the poor the model. The metric can be used by the designers to improve the performance of the model by reducing or eliminating false alarms.

The above three metrics form the key evaluation metrics for any detection model. With the three metrics, it is possible to determine the overall performance of a model.

RQ4: which datasets were used in hybrid intrusion detection system research?

Figure 3 depicts datasets used in hybrid intrusion detection system research. Dataset used is one of the most important elements in the development of anomaly-based intrusion detection systems. Despite that, the conducted review indicates that researchers are using old datasets in developing hybrid intrusion detection systems. The two most commonly used datasets are KDDCup99 and NSL-KDD. Research shows that these two datasets were developed in 1999. With the ever-changing digital landscape, these datasets cannot be used to develop effective models to combat current cyber threats. The analysis of SLR has shown that we have very few updated datasets to be used in the existing network infrastructure. The pie chart is the representation of our results.

7. Conclusion

This study has filled the gap that exists in the current body of knowledge on systematic literature review on hybrid intrusion detection systems. This systematic analysis on hybrid IDS points out the existing gaps in the development of hybrid intrusion detection systems and the need for further research on this area. The analysis of SLR indicates that the field of hybrid intrusion detection techniques is an area of focus for many researchers due to its potential of solving the issue of intrusion because this technique increases the performance and efficiency of intrusion detection systems compared to a single algorithm. Investigation on how well to integrate the existing algorithms is of the essence in this field. Most of the hybrid intrusion detection systems are based on three major categories: cascaded hybrid technique, integrated-based hybrid technique, and cluster + single technique. Based on this work, most of the studies focused on cascaded hybrid technique (65%) This method combines the classical algorithms either parallel or in serial format. The second most widely used technique according to the conducted analysis is the integrated-based hybrid technique (35%). This technique aims at optimizing the classical algorithms. Integrated-based hybrids are more efficient and give better results compared to other forms of hybrid techniques. Thus, to develop an efficient and effective IDS, integrated-based hybrid should be adopted in developing the IDS. Lastly, cluster + single technique was the least used technique (3%). The literature review has shown that the existing algorithms have the potential to solve the problem of intrusion but cannot still evolve with the ever-changing digital environment. Most of the models rely on human intervention to update them. There is a need for models which can learn their environment and update themselves without human input.

According to the conducted study, researchers have deployed different types of algorithms in the development of hybrid intrusion detection. The commonly used algorithm includes ANN, SVM, DT, K-means, Naïve Bayes, KNN, GA, and PSO.

For evaluation of the models, fifteen types of datasets were used in the analyzed studies. The datasets that recorded high utilization in the analyzed studies include KDDCup99 and NSL-KDD. Despite their high recorded popularity, these datasets have received criticism from researchers. Most researchers point out that these datasets were developed years ago, and hence they are outdated and ineffective in developing modern intrusion detection systems. In addition, researchers have observed that these datasets do not capture the current forms of detection, and hence they lack the capabilities of defending modern network infrastructure. To resolve this challenge, the analyzed literature review observed emerging datasets which capture current intrusions. These include CICIDS2017, UNSW-NB15, CSE-CIC-IDS2018, and Bot-IoT datasets. The problem is that most of the studies are still using old datasets. For effective IDS, researchers in this field of intrusion detection systems need to embrace the updated datasets.

The three most commonly used metrics for performance evaluation of IDS are accuracy, TPR, and FPR. Future studies should consider also including CPU utilization and detection time as performance metrics. The detection of intrusion should be done on a real-time basis before any damage is caused, and hence the detection time should be as low as possible. In the development of intrusion detection systems, resource utilization should be considered. In this review, only a few papers included CPU utilization as a performance metric.

Data Availability

The secondary data supporting this systematic review are from previously reported studies and datasets, which have been cited. The processed data are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research was supported by the National Key Research and Development Program of China (grant nos. 2019YFE012990 and 2018YFC1506102), National Natural Science Foundation of China (grant no. 41605121), South African National Research Foundation (grant nos. 114911, 137951, and 132797), and Tertiary Education Support Programme (TESP) of South African ESKOM.

References

D. Tsai, W. Tai, and C. Chang, “A hybrid intelligent intrusion detection system to recognize novel attacks,” in Proceedings of the IEEE 37th Annual International Carnahan Conference on Security Technology, pp. 428–434, Taipei, Taiwan, October 2003.
View at: Google Scholar
H. K. Shaikha and W. M. Abduallah, “Review of intrusion detection systems,” Academic Journal of Nawroz University, vol. 6, no. 3, pp. 106–111, 2017.
View at: Publisher Site | Google Scholar
H. J. Highland, “A pattern matching model for misuse intrusion detection,” Computers & Security, vol. 14, no. 1, p. 28, 1995.
View at: Publisher Site | Google Scholar
H. Om and A. Kundu, “A hybrid system for reducing the false alarm rate of anomaly intrusion detection system,” in Proceedings of the 2012 1st International Conference on Recent Advances in Information Technology (RAIT), pp. 131–136, Dhanbad, India, March 2012.
View at: Google Scholar
G. Kim, S. Lee, and S. Kim, “A novel hybrid intrusion detection method integrating anomaly detection with misuse detection,” Expert Systems with Applications, vol. 41, no. 4, pp. 1690–1700, 2014.
View at: Publisher Site | Google Scholar
D. E. Denning, “An intrusion-detection model,” IEEE Transactions on Software Engineering, vol. SE-13, no. 2, pp. 222–232, 1987.
View at: Publisher Site | Google Scholar
S. Agrawal and J. Agrawal, “Survey on anomaly detection using data mining techniques,” Procedia Computer Science, vol. 60, no. 1, pp. 708–713, 2015.
View at: Publisher Site | Google Scholar
A. Mishra and P. Yadav, “Anomaly-based IDS to detect attack using various artificial intelligence machine learning algorithms: a review,” in Proceedings of the 2nd International Conference on Data, Engineering and Applications, IDEA, Bhopal, India, February 2020.
View at: Google Scholar
K. Atefi, S. Yahya, A. Rezaei, and S. H. M. H. Binti, “Anomaly detection based on profile signature in network using machine learning technique,” in Proceedings of the 2016 IEEE Region 10 Symposium (TENSYMP), pp. 71–76, Sanur, Bali island, Indonesia, May 2016.
View at: Publisher Site | Google Scholar
T. T. Khoei, G. Aissou, W. C. Hu, and N. Kaabouch, “Ensemble learning methods for anomaly intrusion detection system in smart grid,” in Proceedings of the 2021 IEEE International Conference on Electro Information Technology (EIT), pp. 129–135, Mt. Pleasant, MI, USA, May 2021.
View at: Google Scholar
T. Rakshe and V. Gonjari, “Anomaly based network intrusion detection using machine learning techniques,” International Journal of Engineering Research and Technology, vol. 6, no. 5, pp. 216–220, 2017.
View at: Google Scholar
V. Kumar, V. Choudhary, V. Sahrawat, and V. Kumar, “Detecting intrusions and attacks in the network traffic using anomaly based techniques,” in Proceedings of the 2020 5th International Conference on Communication and Electronics Systems (ICCES), pp. 554–560, Coimbatore, India, June 2020.
View at: Publisher Site | Google Scholar
Z. Zhang, P. Chirupphapa, H. Esaki, and H. Ochiai, “XGBoosted misuse detection in LAN-internal traffic dataset,” in Proceedings of the 2020 IEEE International Conference on Intelligence and Security Informatics (ISI), pp. 1–6, Arlington, VA, USA, November 2020.
View at: Google Scholar
K. A. Taher, B. Mohammed Yasin Jisan, and M. M. Rahman, “Network intrusion detection using supervised machine learning technique with feature selection,” in Proceedings of the 2019 International Conference on Robotics, Electrical and Signal Processing Techniques (ICREST), pp. 643–646, Dhaka, Bangladesh, January 2019.
View at: Publisher Site | Google Scholar
F. Erlacher and F. Dressler, “FIXIDS: a high-speed signature-based flow intrusion detection system,” in Proceedings of the NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium, pp. 1–8, Taipei, Taiwan, April 2018.
View at: Publisher Site | Google Scholar
S. Tug, W. Meng, and Y. Wang, “CBSigIDS: towards collaborative blockchained signature-based intrusion detection,” in Proceedings of the 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), pp. 1228–1235, Halifax, NS, Canada, July 2018.
View at: Publisher Site | Google Scholar
U. S. Musa, S. Chakraborty, M. M. Abdullahi, and T. Maini, “A review on intrusion detection system using machine learning techniques,” in Proceedings of the 2021 International Conference on Computing, Communication, and Intelligent Systems (ICCCIS), pp. 541–549, Greater Noida, India, February 2021.
View at: Publisher Site | Google Scholar
M. Khari and A. Karar, “Analysis on intrusion detection by machine learning techniques: a review,” International Journal of Advanced Research in Computer Science and Software Engineering, vol. 3, no. 4, 2013.
View at: Google Scholar
C.-F. Tsai, Y.-F. Hsu, C.-Y. Lin, and W.-Y. Lin, “Intrusion detection by machine learning: a review,” Expert Systems with Applications, vol. 36, no. 10, Article ID 12000, 2009.
View at: Publisher Site | Google Scholar
I. Sumaiya Thaseen and C. Aswani Kumar, “Intrusion detection model using fusion of chi-square feature selection and multi class SVM,” Journal of King Saud University - Computer and Information Sciences, vol. 29, no. 4, pp. 462–472, 2017.
View at: Publisher Site | Google Scholar
A. Khraisat, I. Gondal, P. Vamplew, J. Kamruzzaman, and A. Alazab, “Hybrid intrusion detection system based on the stacking ensemble of C5 decision tree classifier and one class support vector machine,” Electronics, vol. 9, no. 1, p. 173, 2020.
View at: Publisher Site | Google Scholar
M. A. Khan, “HCRNNIDS: hybrid convolutional recurrent neural network-based network intrusion detection system,” Processes, vol. 9, no. 5, p. 834, 2021.
View at: Publisher Site | Google Scholar
F. Alghayadh and D. Debnath, “A hybrid intrusion detection system for smart home security based on machine learning and user behavior,” Advances in Internet of Things, vol. 11, no. 01, pp. 10–25, 2021.
View at: Publisher Site | Google Scholar
Y. Tang and C. Li, “An online network intrusion detection model based on improved Regularized Extreme learning machine,” IEEE Access, vol. 9, pp. 94826–94844, 2021.
View at: Publisher Site | Google Scholar
M. Khan, M. Karim, and Y. Kim, “A scalable and hybrid intrusion detection system based on the convolutional-LSTM network,” Symmetry, vol. 11, no. 4, p. 583, 2019.
View at: Publisher Site | Google Scholar
R. Fotohi and B. Firoozi, “A novel countermeasure technique to protect WSN against denial-of-sleep attacks using firefly and Hopfield neural network (HNN) algorithms,” The Journal of Supercomputing, vol. 76, no. 9, pp. 6860–6886, 2020.
View at: Publisher Site | Google Scholar
H. Bangui, M. Ge, and B. Buhnova, “A hybrid data-driven model for intrusion detection in VANET,” Procedia Computer Science, vol. 184, pp. 516–523, 2021.
View at: Publisher Site | Google Scholar
H. Bangui, M. Ge, and B. Buhnova, “A hybrid machine learning model for intrusion detection in VANET,” Computing, vol. 104, no. 3, pp. 503–531, 2021.
View at: Publisher Site | Google Scholar
F. Barani, “A hybrid approach for dynamic intrusion detection in ad hoc networks using genetic algorithm and artificial immune system,” in Proceedings of the 2014 Iranian Conference on Intelligent Systems (ICIS), Auckland, New Zealand, February 2014.
View at: Publisher Site | Google Scholar
D. Shona and M. S. Kumar, “Efficient IDs for MANET using hybrid firefly with a genetic algorithm,” in Proceedings of the 2018 International Conference on Inventive Research in Computing Applications (ICIRCA), pp. 191–194, Coimbatore, India, July 2018.
View at: Publisher Site | Google Scholar
K. Barbara and C. Stuart, “Guideline for Performing Systematic Literature Reviews in Software Engineering,” Elsevier, Amsterdam, Netherland, 2007, EBSE Technical Report.
View at: Google Scholar
T. Thyago, I. I. Bittencourt, S. Isotani, and A. Silva, “Does peer assessment in on-line learning environments work? A systematic review of the literature,” Computers in Human Behavior, vol. 64, pp. 94–107, 2016.
View at: Google Scholar
F. Salo, M. Injadat, A. B. Nassif, A. Shami, and A. Essex, “Data mining techniques in intrusion detection systems: a systematic literature review,” IEEE Access, vol. 6, Article ID 56058, p. 56046, 2018.
View at: Publisher Site | Google Scholar
S. Mansour and Z. Jadidi, “Flow-based anomaly detection in high-speed links using modified GSA-optimized neural network,” Neural Computing & Applications, vol. 24, 2012.
View at: Google Scholar
S. Mansour and S. R. Maryam, “Gravitational search algorithm–optimized neural misuse detector with selected features by fuzzy grids–based association rules mining,” Neural Computing & Applications, vol. 23, no. 7-8, pp. 2451–2463, 2012.
View at: Publisher Site | Google Scholar
K. Qazanfari, M. S. Mirpouryan, and H. Gharaee, “A novel hybrid anomaly-based intrusion detection method,” in Proceedings of the 6th International Symposium on Telecommunications (IST), pp. 942–947, Tehran, Iran, November 2012.
View at: Publisher Site | Google Scholar
R. Chitrakar and C. Huang, “Anomaly based intrusion detection using hybrid learning approach of combining k-medoids clustering and naïve bayes classification,” in Proceedings of the 2012 8th International Conference on Wireless Communications, Networking and Mobile Computing, pp. 1–5, Limassol, Cyprus, August 2012.
View at: Google Scholar
R. Chitrakar and H. Chuanhe, “Anomaly detection using Support Vector Machine classification with k-Medoids clustering,” in Proceedings of the 2012 Third Asian Himalayas International Conference on Internet, pp. 1–5, Kathmundu, Nepal, November 2012.
View at: Publisher Site | Google Scholar
P. Natesan and P. Rajesh, “Cascaded classifier approach based on Adaboost to increase detection rate of rare network attack categories,” in Proceedings of the 2012 International Conference on Recent Trends in Information Technology, pp. 417–422, Chennai, Tamil Nadu, India, April 2012.
View at: Publisher Site | Google Scholar
W. Feng, Q. Zhang, G. Hu, and J. X. Huang, “Mining network data for intrusion detection through combining SVMs with ant colony networks,” Future Generation Computer Systems, vol. 37, pp. 127–140, 2014.
View at: Publisher Site | Google Scholar
S. Anil and R. Remya, “A hybrid method based on genetic algorithm, self-organised feature map, and support vector machine for better network anomaly detection,” in Proceedings of the 2013 Fourth International Conference on Computing, Communications and Networking Technologies (ICCCNT), pp. 1–5, Tiruchengode, India, July 2013.
View at: Publisher Site | Google Scholar
A. S. A. Aziz, A. E. Hassanien, S. E.-O. Hanaf, and M. F. Tolba, “Multi-layer hybrid machine learning techniques for anomalies detection and classification approach,” in Proceedings of the 13th International Conference on Hybrid Intelligent Systems (HIS 2013), pp. 215–220, Gammarth, Tunisia, December 2013.
View at: Publisher Site | Google Scholar
M. Barati, A. Abdullah, N. I. Udzir, R. Mahmod, and N. Mustapha, “Distributed Denial of Service detection using hybrid machine learning technique,” in Proceedings of the 2014 International Symposium on Biometrics and Security Technologies (ISBAST), pp. 268–273, Kuala Lumpur, Malaysia, August 2014.
View at: Publisher Site | Google Scholar
R. Rasoul, C. Milad, E. Mohammad et al., “A hybrid method consisting of GA and SVM for intrusion detection system,” Neural Computing & Applications, vol. 27, no. 6, pp. 1669–1676, 2015.
View at: Publisher Site | Google Scholar
Y. Maleh, A. Ezzati, Y. Qasmaoui, and M. Mbida, “A global hybrid intrusion detection system for wireless sensor networks,” Procedia Computer Science, vol. 52, pp. 1047–1052, 2015.
View at: Publisher Site | Google Scholar
S. M. H. Bamakan, B. Amiri, M. Mirzabagheri, and Y. Shi, “A new intrusion detection approach using PSO based multiple criteria linear programming,” Procedia Computer Science, vol. 55, pp. 231–237, 2015.
View at: Publisher Site | Google Scholar
R. Ujwala, M. Nilesh, and P. Puja, “Feature selection based hybrid anomaly intrusion detection system using K means and RBF kernel function,” Procedia Computer Science, vol. 45, pp. 428–435, 2015.
View at: Publisher Site | Google Scholar
Y. Canbay and S. Sagiroglu, “A hybrid method for intrusion detection,” in Proceedings of the 2015 IEEE 14th International Conference on Machine Learning and Applications (ICMLA), pp. 156–161, Miami, Florida, USA, December 2015.
View at: Publisher Site | Google Scholar
S. Varuna and P. Natesan, “An integration of k-means clustering and naïve bayes classifier for Intrusion Detection,” in Proceedings of the 2015 3rd International Conference on Signal Processing, Communication and Networking (ICSCN), pp. 1–5, Chennai, Tamil Nadu, India, March 2015.
View at: Google Scholar
A.-R. Hedar, M. A. Omer, A. F. Al-Sadek, and A. A. Sewisy, “Hybrid evolutionary algorithms for data classification in intrusion detection systems,” in Proceedings of the 2015 IEEE/ACIS 16th International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), pp. 1–7, Takamatsu, June 2015.
View at: Publisher Site | Google Scholar
K. Jasmin, J. Samed, and S. Abdulhamit, “An effective combining classifier approach using tree algorithms for network intrusion detection,” Neural Computing & Applications, vol. 28, pp. 1051–1058, 2016.
View at: Publisher Site | Google Scholar
A. D. Landress, “A hybrid approach to reducing the false positive rate in unsupervised machine learning intrusion detection,” 2016, pp. 1–6, 2016.
View at: Publisher Site | Google Scholar
A. Wankhade and K. Chandrasekaran, “Distributed-intrusion detection system using combination of ant colony optimization (ACO) and support vector machine (SVM),” in Proceedings of the 2016 International Conference on Micro- Electronics and Telecommunication Engineering (ICMETE), pp. 646–651, Ghaziabad, India, September 2016.
View at: Publisher Site | Google Scholar
H. M. Tahir, A. M. Said, N. H. Osman, N. H. Zakaria, P. N. M. Sabri, and N. Katuk, “Oving K-means clustering using discretization technique in network intrusion detection system,” in Proceedings of the 2016 3rd International Conference on Computer and Information Sciences (ICCOINS), pp. 248–252, Kuala Lumpur, Malaysia, August 2016.
View at: Publisher Site | Google Scholar
V. V. Kumari and P. R. K. Varma, “A semi-supervised intrusion detection system using active learning SVM and fuzzy c-means clustering,” in Proceedings of the 2017 International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC), pp. 481–485, Palladam, Tamil Nadu, India, February 2017.
View at: Publisher Site | Google Scholar
J. Zhu, J. Mu, D. Wei, B. Feng, Y. Wang, and K. Yin, “A spatial correlation-based hybrid method for intrusion detection,” in Proceedings of the 2017 IEEE 9th International Conference on Communication Software and Networks (ICCSN), pp. 1097–1102, 2017.
View at: Google Scholar
Y. Y. Aung and M. M. Min, “An analysis of random forest algorithm-based network intrusion detection system,” in Proceedings of the 2017 18th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), pp. 127–132, Kanazawa, Japan, June 2017.
View at: Publisher Site | Google Scholar
F. Meng, Y. Fu, F. Lou, and Z. Chen, “An effective network attack detection method based on kernel PCA and LSTM-RNN,” in Proceedings of the 2017 International Conference on Computer Systems, Electronics and Control (ICCSEC), pp. 568–572, Dalian, China, December 2017.
View at: Publisher Site | Google Scholar
S. M. A. M. Gadal and R. A. Mokhtar, “Anomaly detection approach using hybrid algorithm of data mining technique,” in Proceedings of the 2017 International Conference on Communication, Control, Computing and Electronics Engineering (ICCCCEE), pp. 1–6, Khartoum, Sudan, January 2017.
View at: Publisher Site | Google Scholar
S. AlHamouz and A. Abu-Shareha, “Hybrid classification approach using self-organizing map and back propagation artificial neural networks for intrusion detection,” in Proceedings of the 2017 10th International Conference on Developments in eSystems Engineering (DeSE), pp. 83–87, Paris, France, June 2017.
View at: Publisher Site | Google Scholar
P. Shukla, “ML-IDS: a machine learning approach to detect wormhole attacks in Internet of Things,” in Proceedings of the 2017 Intelligent Systems Conference (IntelliSys), pp. 234–240, London, United Kingdom, September 2017.
View at: Google Scholar
A. Pattawaro and C. Polprasert, “Anomaly-based network intrusion detection system through feature selection and hybrid machine learning technique,” in Proceedings of the 2018 16th International Conference on ICT and Knowledge Engineering (ICT&KE), pp. 1–6, Bangkok, Thailand, November 2018.
View at: Publisher Site | Google Scholar
S. Sagar, A. Shrivastava, and C. Gupta, “Feature Reduction and selection based optimization for hybrid intrusion detection system using PGO followed by SVM,” in Proceedings of the 2018 International Conference on Advanced Computation and Telecommunication (ICACAT), pp. 1–7, Bhopal, India, December 2018.
View at: Publisher Site | Google Scholar
P. Bhatt and A. Morais, “HADS: hybrid anomaly detection system for IoT environments,” in Proceedings of the 2018 International Conference on Internet of Things, Embedded Systems and Communications (IINTEC), pp. 191–196, Hammamet, Tunisia, December 2018.
View at: Publisher Site | Google Scholar
P. Singh and M. Venkatesan, “Hybrid approach for intrusion detection system,” in Proceedings of the 2018 International Conference on Current Trends towards Converging Technologies (ICCTCT), pp. 1–5, Coimbatore, India, March 2018.
View at: Publisher Site | Google Scholar
S. Rani and S. Jain, “Hybrid approach to detect network based intrusion,” in Proceedings of the 2018 Fourth International Conference on Computing Communication Control and Automation (ICCUBEA), pp. 1–5, Pune, India, August 2018.
View at: Publisher Site | Google Scholar
A. S. Sadiq, B. Alkazemi, S. Mirjalili, N. Ahmed, I. Ali, and G. K. Zrar, “An efficient IDS using hybrid magnetic Swarm optimization in WANETs,” IEEE Access, vol. 6, Article ID 29053, 2018.
View at: Publisher Site | Google Scholar
N. T. Pham, E. Foo, S. Suriadi, H. Jeffrey, and H. F. M. Lahza, “Improving performance of intrusion detection system using ensemble methods and feature selection,” in Proceedings of the Australasian Computer Science Week Multiconference (ACSW ’18), pp. 1–6, Melbourne, VIC, Australia, February 2018.
View at: Google Scholar
F. Zohreh and L. Yue, “Intrusion detection system by using hybrid algorithm of data mining technique,” in Proceedings of the ICSCA 2018: Proceedings of the 2018 7th International Conference on Software and Computer Applications, pp. 119–123, Kuantan, Malaysia, February 2018.
View at: Google Scholar
J. Jianguo, W. Qiwen, S. Zhixin, L. Bin, and Q. Biao, “RST-RF: a hybrid model based on Rough set theory and random forest for network intrusion detection,” in Proceedings of the ICCSP 2018: Proceedings of the 2nd International Conference on Cryptography, Security and Privacy, pp. 77–81, Guiyang, China, March 2018.
View at: Google Scholar
V. Hajisalem and S. Babaie, “A hybrid intrusion detection system based on ABC-AFS algorithm for misuse and anomaly detection,” Computer Networks, vol. 136, pp. 37–50, 2018.
View at: Publisher Site | Google Scholar
M. Nivaashini and P. Thangaraj, “A framework of novel feature set extraction based intrusion detection system for Internet of things using hybrid machine learning algorithms,” in Proceedings of the 2018 International Conference on Computing, Power and Communication Technologies (GUCON), pp. 44–49, Greater Noida, India, September 2018.
View at: Publisher Site | Google Scholar
C. Jin, Z. Ye, C. Wang, L. Yan, and R. Wang, “A network intrusion detection method based on hybrid Rice optimization algorithm improved fuzzy C-means,” in Proceedings of the 2018 IEEE 4th International Symposium on Wireless Systems within the International Conferences on Intelligent Data Acquisition and Advanced Computing Systems (IDAACS-SWS), pp. 47–52, Lviv, Ukraine, September 2018.
View at: Publisher Site | Google Scholar
Y. Y. Aung and M. Myat Min, “Hybrid intrusion detection system using K-means and K-nearest neighbors algorithms,” in Proceedings of the 2018 IEEE/ACIS 17th International Conference on Computer and Information Science (ICIS), pp. 34–38, Singapore, June 2018.
View at: Publisher Site | Google Scholar
Y. Y. Aung and M. M. Min, “Hybrid intrusion detection system using K-means and random tree algorithms,” in Proceedings of the 2018 19th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), pp. 218–223, Busan, Korea (South), June 2018.
View at: Publisher Site | Google Scholar
S. Soheily-Khah, P. Marteau, and N. Béchet, “Intrusion detection in network systems through hybrid supervised and unsupervised machine learning process: a case study on the iscx dataset,” in Proceedings of the 2018 1st International Conference on Data Intelligence and Security (ICDIS), pp. 219–226, TX, USA, April 2018.
View at: Google Scholar
X. Zheng, Z. Ye, J. Su, H. Chen, and R. Wang, “Network intrusion detection based on hybrid Rice algorithm optimized Extreme learning machine,” in Proceedings of the 2018 IEEE 4th International Symposium on Wireless Systems within the International Conferences on Intelligent Data Acquisition and Advanced Computing Systems (IDAACS-SWS), pp. 149–153, Lviv, Ukraine, September 2018.
View at: Publisher Site | Google Scholar
I. A. Khan, D. Pi, Z. U. Khan, Y. Hussain, and A. Nawaz, “HML-IDS: a hybrid-multilevel anomaly prediction approach for intrusion detection in scada systems,” IEEE Access, vol. 7, Article ID 89521, 2019.
View at: Publisher Site | Google Scholar
G. Waheed and J. Aman, “A new approach for intrusion detection system based on training multilayer perceptron by using enhanced Bat algorithm,” Neural Computing and Applications, vol. 32, no. 15, Article ID 11698, 2019.
View at: Publisher Site | Google Scholar
L. Haghnegahdar and Y. Wang, “A whale optimization algorithm-trained artificial neural network for smart grid cyber intrusion detection,” Neural Computing & Applications, vol. 32, no. 13, pp. 9427–9441, 2019.
View at: Publisher Site | Google Scholar
S. Velliangiri and P. Karthikeyan, “Hybrid optimization scheme for intrusion detection using considerable feature selection,” Neural Computing & Applications, vol. 32, 2019.
View at: Publisher Site | Google Scholar
E. Wisam, A. Akhan, and Z. Abdul, “Evolving deep learning architectures for network intrusion detection using a double PSO metaheuristic,” Computer Networks, vol. 168, Article ID 107042, 2019.
View at: Publisher Site | Google Scholar
H. Soodeh and A. Mehrdad, “The hybrid technique for DDoS detection with supervised learning algorithms,” Computer Networks, vol. 158, pp. 35–45, 2019.
View at: Publisher Site | Google Scholar
S. Wang, C. Xia, and T. Wang, “A novel intrusion detector based on deep learning hybrid methods,” in Proceedings of the 2019 IEEE 5th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS), pp. 300–305, Washington, DC, USA, May 2019.
View at: Google Scholar
H. He, X. Sun, H. He, G. Zhao, L. He, and J. Ren, “A novel multimodal-sequential approach based on multi-view features for network intrusion detection,” IEEE Access, vol. 7, Article ID 183221, 2019.
View at: Publisher Site | Google Scholar
X. Zhang, J. Ran, and J. Mi, “An intrusion detection system based on convolutional neural network for imbalanced network traffic,” in Proceedings of the 2019 IEEE 7th International Conference on Computer Science and Network Technology (ICCSNT), pp. 456–460, Dalian, China, October 2019.
View at: Google Scholar
I. Aljamal, A. Tekeoğlu, K. Bekiroglu, and S. Sengupta, “Hybrid intrusion detection system using machine learning techniques in cloud computing environments,” in Proceedings of the 2019 IEEE 17th International Conference on Software Engineering Research, Management and Applications (SERA), pp. 84–89, HI, USA, May 2019.
View at: Google Scholar
E. C. Matel, A. M. Sison, and R. P. Medina, “Optimization of network intrusion detection system using genetic algorithm with improved feature selection technique,” in Proceedings of the 2019 IEEE 11th International Conference on Humanoid, Nanotechnology, Information Technology, Communication and Control, Environment, and Management (HNICEM), pp. 1–6, Laoag, Philippines, November 2019.
View at: Publisher Site | Google Scholar
H. Zhang, Y. Li, Z. Lv, A. K. Sangaiah, and T. Huang, “A real-time and ubiquitous network attack detection based on deep belief network and support vector machine,” IEEE/CAA Journal of Automatica Sinica, vol. 7, no. 3, pp. 790–799, 2020.
View at: Publisher Site | Google Scholar
W. A. H. M. Ghanem, A. Jantan, S. A. A. Ghaleb, and A. B. Nasser, “An efficient intrusion detection model based on hybridization of artificial bee colony and dragonfly algorithms for training multilayer perceptrons,” IEEE Access, vol. 8, Article ID 130475, 2020.
View at: Publisher Site | Google Scholar
D. Preethi and K. Neel, “An efficient XGBoost–DNN-based classification model for network intrusion detection system,” Neural Computing & Applications, vol. 32, Article ID 12514, 2020.
View at: Publisher Site | Google Scholar
D. Shubhra, V. Manu, and T. Sarsij, “An effect of chaos grasshopper optimization algorithm for protection of network infrastructure,” Computer Networks, vol. 176, 2020.
View at: Google Scholar
A. K. Shukla, “Detection of anomaly intrusion utilizing self-adaptive grasshopper optimization algorithm,” Neural Computing & Applications, vol. 33, no. 13, pp. 7541–7561, 2020.
View at: Publisher Site | Google Scholar
L. Bouzar-Benlabiod, S. H. Rubin, K. Belaidi, and N. E. Haddar, “RNN-VED for reducing false positive alerts in host-based anomaly detection systems,” in Proceedings of the 2020 IEEE 21st International Conference on Information Reuse and Integration for Data Science (IRI), pp. 17–24, Las Vegas, NV, USA, August 2020.
View at: Google Scholar
K. Chaouki and K. Saoussen, “A NSGA2-LR wrapper approach for feature selection in network IntrusionDetection,” Computer Networks, vol. 172, 2020.
View at: Publisher Site | Google Scholar
P. Leilei and X. Xiaolan, “Network intrusion detection model based on PCA + ADASYN and XGBoost,” pp. 44–48, 2020.
View at: Publisher Site | Google Scholar
S. Jay and M. Manollas, “Efficient Deep CNN-BiLSTM Model for Network Intrusion Detection,” pp. 223–231, 2020.
View at: Google Scholar
A. Hanane and A. Z. E. Boukhamla, “Two-Stage Intrusion Detection System Based on Hybrid Methods,” 2020.
View at: Google Scholar
S. Velliangiri and H. M. Pandey, “Fuzzy-Taylor-elephant herd optimization inspired Deep Belief Network for DDoS attack detection and comparison with state-of-the-arts algorithms,” Future Generation Computer Systems, vol. 110, pp. 80–90, 2020.
View at: Publisher Site | Google Scholar
C. A. de Souza, C. B. Westphall, R. B. Machado, J. B. M. Sobral, and G. d. S. Vieira, “Hybrid approach to intrusion detection in fog-based IoT environments,” Computer Networks, vol. 180, Article ID 107417, 2020.
View at: Publisher Site | Google Scholar
H. Soodeh and M. H. Z. Behnam, “New hybrid method for attack detection using combination of evolutionary algorithms, SVM, and ANN,” Computer Networks, vol. 173, Article ID 107168, 2020.
View at: Google Scholar
G. Bovenzi, G. Aceto, D. Ciuonzo, V. Persico, and A. Pescapé, “A hierarchical hybrid intrusion detection approach in IoT scenarios,” in Proceedings of the GLOBECOM 2020 - 2020 IEEE Global Communications Conference, pp. 1–7, Taipei, Taiwan, December 2020.
View at: Publisher Site | Google Scholar
K. Atefi, H. Hashim, and T. Khodadadi, “A hybrid anomaly classification with deep learning (DL) and binary algorithms (BA) as optimizer in the intrusion detection system (IDS),” in Proceedings of the 2020 16th IEEE International Colloquium on Signal Processing & Its Applications (CSPA), pp. 29–34, Langkawi Island, Malaysia, February 2020.
View at: Google Scholar
A. Xu, L. Cheng, X. Kuang, H. Lv, Y. Jiang, and B. Li, “A hybrid deep learning model for malicious behavior detection,” in Proceedings of the 2020 IEEE 6th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS), pp. 55–59, Baltimore, MD, USA, May 2020.
View at: Google Scholar
H. Mennour and S. Mostefai, “A hybrid deep learning strategy for an anomaly based N-ids,” in Proceedings of the 2020 International Conference on Intelligent Systems and Computer Vision (ISCV), pp. 1–6, Fez, Morocco, June 2020.
View at: Publisher Site | Google Scholar
W. Chen, H. Cao, X. Lv, and Y. Cao, “A hybrid feature extraction network for intrusion detection based on global attention mechanism,” in Proceedings of the 2020 International Conference on Computer Information and Big Data Applications (CIBDA), pp. 481–485, Guiyang, China, April 2020.
View at: Publisher Site | Google Scholar
A. Kumari and A. K. Mehta, “A hybrid intrusion detection system based on decision tree and support vector machine,” in Proceedings of the 2020 IEEE 5th International Conference on Computing Communication and Automation (ICCCA), pp. 396–400, Greater Noida, India, October 2020.
View at: Google Scholar
R. Elhefnawy, H. Abounaser, and A. Badr, “A hybrid nested genetic-fuzzy algorithm framework for intrusion detection and attacks,” IEEE Access, vol. 8, pp. 98218–98233, 2020.
View at: Publisher Site | Google Scholar
J. Malik, A. Akhunzada, I. Bibi, M. Imran, A. Musaddiq, and S. W. Kim, “Hybrid deep learning: an efficient Reconnaissance and surveillance detection mechanism in SDN,” IEEE Access, vol. 8, pp. 134695–134706, 2020.
View at: Publisher Site | Google Scholar
A. A. Abdul Lateef, S. T. Faraj Al-Janabi, and B. Al-Khateeb, “Hybrid intrusion detection system based on deep learning,” in Proceedings of the 2020 International Conference on Data Analytics for Business and Industry: Way Towards a Sustainable Economy (ICDABI), pp. 1–5, Sakheer, Bahrain, October 2020.
View at: Publisher Site | Google Scholar
V. S. F. Enigo, K. T. Ganesh, N. N. V. Raj, and D. Sandeep, “Hybrid intrusion detection system for detecting new attacks using machine learning,” in Proceedings of the 2020 5th International Conference on Communication and Electronics Systems (ICCES), pp. 567–572, Coimbatore, India, June 2020.
View at: Google Scholar
Z. Chkirbene, S. Eltanbouly, M. Bashendy, N. AlNaimi, and A. Erbad, “Hybrid machine learning for network anomaly intrusion detection,” in Proceedings of the 2020 IEEE International Conference on Informatics, IoT, and Enabling Technologies (ICIoT), pp. 163–170, Doha, Qatar, February 2020.
View at: Publisher Site | Google Scholar
M. H. Ali, K. Al-Jawaheri, M. M. Adnan, A. Aasi, and A. H. Radie, “Improved intrusion detection accuracy based on optimization fast learning network model,” in Proceedings of the 2020 3rd International Conference on Engineering Technology and its Applications (IICETA), pp. 198–202, Najaf, Iraq, September 2020.
View at: Google Scholar
D. Li, D. Kotani, and Y. Okabe, “Improving attack detection performance in nids using gan,” in Proceedings of the 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC), pp. 817–825, Madrid, Spain, July 2020.
View at: Publisher Site | Google Scholar
P. Pokharel, R. Pokhrel, and S. Sigdel, “Intrusion detection system based on hybrid classifier and user profile enhancement techniques,” in Proceedings of the 2020 International Workshop on Big Data and Information Security (IWBIS), pp. 137–144, Depok, Indonesia, October 2020.
View at: Publisher Site | Google Scholar
A. E. Ghazi and A. Moulay Rachid, “Machine learning and data mining methods for hybrid IoT intrusion detection,” in Proceedings of the 2020 5th International Conference on Cloud Computing and Artificial Intelligence: Technologies and Applications (CloudTech), pp. 1–6, Marrakesh, Morocco, May 2020.
View at: Publisher Site | Google Scholar
K. Jiang, W. Wang, A. Wang, and H. Wu, “Network intrusion detection combined hybrid sampling with deep hierarchical network,” IEEE Access, vol. 8, pp. 32464–32476, 2020.
View at: Publisher Site | Google Scholar
S. N. Pakanzad and H. Monkaresi, “Providing a hybrid approach for detecting malicious traffic on the computer networks using convolutional neural networks,” in Proceedings of the 2020 28th Iranian Conference on Electrical Engineering (ICEE), pp. 1–6, Tabriz, Iran, May 2020.
View at: Google Scholar
D. Mehanović, D. Kečo, J. Kevrić, S. Jukić, A. Miljković, and Z. Mašetić, “Feature selection using cloud-based parallel genetic algorithm for intrusion detection data classification,” Neural Computing & Applications, vol. 33, no. 18, pp. 11861–11873, 2021.
View at: Publisher Site | Google Scholar
G. Pu, L. Wang, J. Shen, and F. Dong, “A hybrid unsupervised clustering-based anomaly detection method,” Tsinghua Science and Technology, vol. 26, no. 2, pp. 146–153, 2021.
View at: Publisher Site | Google Scholar
L. Yang, A. Moubayed, and A. Shami, “MTH-IDS: a multi-tiered hybrid intrusion detection system for Internet of vehicles,” IEEE Internet of Things Journal, vol. 9, no. 1, 2021.
View at: Publisher Site | Google Scholar
W. Seo and W. Pak, “Real-time network intrusion prevention system based on hybrid machine learning,” IEEE Access, vol. 9, Article ID 46397, 2021.
View at: Publisher Site | Google Scholar
C. Liu, Z. Gu, and J. Wang, “A hybrid intrusion detection system based on scalable K-Means+ random forest and deep learning,” IEEE Access, vol. 9, Article ID 75740, 2021.
View at: Publisher Site | Google Scholar
S. Bebortta and S. K. Singh, “An adaptive machine learning-based threat detection framework for industrial communication networks,” in Proceedings of the 2021 10th IEEE International Conference on Communication Systems and Network Technologies (CSNT), pp. 527–532, Bhopal, India, June 2021.
View at: Google Scholar
R. O. Ogundokun, J. B. Awotunde, P. Sadiku, E. A. Adeniyi, M. Abiodun, and O. I. Dauda, “An enhanced intrusion detection system using Particle Swarm optimization feature extraction technique,” Procedia Computer Science, vol. 193, pp. 504–512, 2021.
View at: Publisher Site | Google Scholar
T. Wisanwanichthan and M. Thammawichai, “A double-layered hybrid approach for network intrusion detection system using combined naive bayes and SVM,” IEEE Access, vol. 9, Article ID 138450, 2021.
View at: Publisher Site | Google Scholar
A. Sharma and U. Tyagi, “A hybrid approach of ANN-GWO technique for intrusion detection,” in Proceedings of the 2021 International Conference on Recent Trends on Electronics, Information, Communication & Technology (RTEICT), pp. 467–472, Bangalore, India, August 2021.
View at: Publisher Site | Google Scholar
T. Xiong, G. Lina, Z. Guifen, and Q. Donghong, “A intrusion detection algorithm based on improved slime mould algorithm and weighted Extreme learning machine,” in Proceedings of the 2021 4th International Conference on Artificial Intelligence and Big Data (ICAIBD), pp. 157–161, Chengdu, China, May 2021.
View at: Google Scholar
P. Gao, M. Yue, and Z. Wu, “A novel intrusion detection method based on WOA optimized hybrid kernel RVM,” in Proceedings of the 2021 IEEE 6th International Conference on Computer and Communication Systems (ICCCS), pp. 1063–1069, Chengdu, China, April 2021.
View at: Publisher Site | Google Scholar
T. Kim and W. Pak, “Hybrid classification for high-speed and high-accuracy network intrusion detection system,” IEEE Access, vol. 9, Article ID 83817, 2021.
View at: Publisher Site | Google Scholar
A. K. M. Mashuqur Rahman Mazumder, N. Mohammed Kamruzzaman, N. Akter, N. Arbe, and M. M. Rahman, “Network intrusion detection using hybrid machine learning model,” in Proceedings of the 2021 International Conference on Advances in Electrical, Computing, Communication and Sustainable Technologies (ICAECT), pp. 1–8, Bhilai, Chhattisgarh, February 2021.
View at: Publisher Site | Google Scholar
B. B. Borisenko, S. D. Erokhin, A. S. Fadeev, and I. D. Martishin, “Intrusion detection using multilayer perceptron and neural networks with long short-term memory,” in Proceedings of the 2021 Systems of Signal Synchronization, Generating and Processing in Telecommunications (SYNCHROINFO), pp. 1–6, Kaliningrad, Russia, June 2021.
View at: Publisher Site | Google Scholar
I. Das, S. Singh, and A. Sarkar, “Serial and parallel based intrusion detection system using machine learning,” in Proceedings of the 2021 Devices for Integrated Circuit (DevIC), pp. 340–344, Kalyani, Nadia, India, March 2021.
View at: Google Scholar
J. Shi, Y. Lin, Z. Zhang, and S. Yu, “A hybrid intrusion detection system based on machine learning under differential privacy protection,” in Proceedings of the 2021 IEEE 94th Vehicular Technology Conference (VTC2021-Fall), pp. 1–6, September 2021.
View at: Publisher Site | Google Scholar
W. Wang, X. Du, D. Shan, R. Qin, and N. Wang, “Cloud intrusion detection method based on stacked contractive auto-encoder and support vector machine,” IEEE Transactions on Cloud Computing, 2021.
View at: Google Scholar
T. Saba, T. Sadad, A. Rehman, Z. Mehmood, and Q. Javaid, “Intrusion detection system through advance machine learning for the Internet of things networks,” IT Professional, vol. 23, no. 2, pp. 58–64, 2021.
View at: Publisher Site | Google Scholar
V. Prabhakaran and A. Kulandasamy, “Hybrid semantic deep learning architecture and optimal advanced encryption standard key management scheme for secure cloud storage and intrusion detection,” Neural Computing & Applications, vol. 5, 2021.
View at: Google Scholar
Y. Guan and N. Ezzati-Jivan, “Malware system calls detection using hybrid system,” in Proceedings of the 2021 IEEE International Systems Conference (SysCon), pp. 1–8, Vancouver, Canada, March 2021.
View at: Publisher Site | Google Scholar
L. S. Matsa, P. G.-A. Zodi-Lusilao, and P. F. Bhunu-Shava, “Forward feature selection for DDoS detection on cross-plane of software defined network using hybrid deep learning,” in Proceedings of the 2021 3rd International Multidisciplinary Information Technology and Engineering Conference (IMITEC), pp. 1–7, Windhoek, Namibia, November 2021.
View at: Publisher Site | Google Scholar
S. Amaran and R. Madhan Mohan, “An optimal multilayer perceptron with dragonfly algorithm for intrusion detection in wireless sensor networks,” in Proceedings of the 2021 5th International Conference on Computing Methodologies and Communication (ICCMC), pp. 1–5, Erode, India, April 2021.
View at: Google Scholar
M. Ozkan-Okay, O. Aslan, R. Eryigit, and R. Samet, “SABADT: hybrid intrusion detection approach for cyber attacks identification in WLAN,” IEEE Access, vol. 9, Article ID 157653, 2021.
View at: Publisher Site | Google Scholar
A. Singhal, A. Maan, D. Chaudhary, and D. Vishwakarma, “A hybrid machine learning and data mining based approach to network intrusion detection,” in Proceedings of the 2021 International Conference on Artificial Intelligence and Smart Systems (ICAIS), pp. 312–318, Pichanur, Tamil Nadu, March 2021.
View at: Publisher Site | Google Scholar
L. Zhang and D. Ma, “A hybrid approach toward efficient and accurate intrusion detection for in-vehicle networks,” IEEE Access, vol. 10, Article ID 10866, 2022.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2022 Elijah M. Maseno et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

3563

Downloads

1406

Citations